Yunyu Liu,Zhiyang Xia,Ping Yi,Yao Yao,Tiantian Xie,Wei Wang,Ting Zhu

DOI: https://doi.org/10.1109/ICC.2018.8422243

2018-01-01

Abstract:Password has become today's dominant method of authentication in social network. While the brute-force attack methods, such as HashCat and John the Ripper, are unpractical, the research then switches to the password guess. The stateof-the-art approaches, such as Markov Model and probabilistic context-free grammars(PCFG), are all based on statistical probability. These approaches have a low matching rate. The methods on neural network have been proved more accurate and practical for password guessing than traditional methods. However, a raw neural network model is not qualified for cross-sites attack since each data set has its own features.This paper proposes a general deep learning model for password guessing, called GENPass. GENPass can learn features from several data sets and ensure the output wordlist high accuracy in different data sets by using adversarial generation. The password generator of GENPass is PCFG+LSTM(PL), where LSTM is a kind of Recurrent Neural Network. We combine neural network with PCFG because we found people were used to set their passwords with meaningful strings. Compared with LSTM, PL increased the matching rate by 16%-30% in the cross-sites tests when learning from a single dataset. GENPass uses several PL models to learn datasets and generate passwords. The result shows that the matching rate of GENPass is 20% higher than that of simply mixing those datasets in the cross-sites test.

Zhiyang Xia,Ping Yi,Yunyu Liu,Bo Jiang,Wei Wang,Ting Zhu

DOI: https://doi.org/10.1109/tmm.2019.2940877

IF: 7.3

2020-01-01

IEEE Transactions on Multimedia

Abstract:The password has become today's dominant method of authentication. While brute-force attack methods such as HashCat and John the Ripper have proven unpractical, the research then switches to password guessing. State-of-the-art approaches such as the Markov Model and probabilistic context-free grammar (PCFG) are all based on statistical probability. These approaches require a large amount of calculation, which is time-consuming. Neural networks have proven more accurate and practical in password guessing than traditional methods. However, a raw neural network model is not qualified for cross-site attacks because each dataset has its own features. Our work aims to generalize those leaked passwords and improves the performance in cross-site attacks. In this paper, we propose GENPass, a multi-source deep learning model for generating "general" password. GENPass learns from several datasets and ensures the output wordlist can maintain high accuracy for different datasets using adversarial generation. The password generator of GENPass is PCFG+LSTM (PL). We are the first to combine a neural network with PCFG. Compared with Long short-term memory (LSTM), PL increases the matching rate by 16%-30% in cross-site tests when learning from a single dataset. GENPass uses several PL models to learn datasets and generate passwords. The results demonstrate that the matching rate of GENPass is 20% higher than by simply mixing datasets in the cross-site test. Furthermore, we propose GENPass with probability (GENPass-pro), the updated version of GENPass, which can further increase the matching rate of GENPass.

Shunbin Li,Zhiyu Wang,Ruyun Zhang,Chunming Wu,Hanguang Luo

DOI: https://doi.org/10.1109/tdsc.2022.3217002

2023-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Rule-based password generation is one of the most effective and often employed techniques in the highly compute-intensive password recovery process. However, it is challenging to design and maintain a practical password mangling ruleset, which is a time-consuming task requiring specialized expertise. This paper therefore introduced MDBSCAN (Modified Density-Based Spatial Clustering of Applications with Noise), a novel density-based cluster approach in machine learning, to build an automatic password mangling rule generator. To evaluate the proposed method, cross-checks across 4 different real-world password datasets leaked from popular Internet services and applications are adopted. The results indicate that the proposed generator could produce high-quality mangling rules with a better hit rate and enhance current mangling rules by identifying hidden or omitted rules. The proposed approach also shows strong interpretability and computational efficiency. When examining the RockYou password dataset with the top 77 rules, the hit rate may rise by 11% to 104% proportionally to other well-known solutions. Furthermore, by combining the top 77 rules generated by MDBSCAN with those from other rulesets, 3–12.67% more real-world passwords can be retrieved.

Erqiang Zhou,Yejian Peng,Guanghui Shao,Fuhu Deng,Yurun Miao,Wulong Fan

DOI: https://doi.org/10.1016/j.future.2023.09.013

2024-01-01

Abstract:Textual password is one of the most important authentic means used in modern information systems and password cracking is an important means of measuring password strength. Recently, data-driven approaches are proposed in order to improve the efficiency and accuracy of the password guessing process. These methods usually train a model based on leaked password datasets so as to capture the internal patterns hidden behind the human created passwords, and most of them focus on the relationships between characters within a password. In this article, we emphasizes that the character relations between passwords need also to be considered. We treat a password as a sequence of chunks or segments, which is a small sub-string of the password and appears frequently in a password dataset. Instead of modeling the relations of chunks within a password, we proposed a method, which selects a seed password from a training set, breaks the seed password into chunks, and then generates new passwords by choosing a chunk and replacing it with another one according to their similarities. Several experiments are conducted on three password datasets so as to evaluate different aspects of the proposed approach. The results show that the proposed method is comparable with the state-of-the-art approaches, such as PassGAN, DPG, FLA and PCFG v4.3, which is the latest version of PCFG. The results also revealed that chunk level relations between passwords play an important role in the process of password creation.

Ruixin Shi,Yongbin Zhou,Yong Li,Weili Han

DOI: https://doi.org/10.1155/2021/5563884

IF: 1.968

2021-01-01

Security and Communication Networks

Abstract:Researchers proposed several data-driven methods to efficiently guess user-chosen passwords for password strength metering or password recovery in the past decades. However, these methods are usually evaluated under ad hoc scenarios with limited data sets. Thus, this motivates us to conduct a systematic and comparative investigation with a very large-scale data corpus for such state-of-the-art cracking methods. In this paper, we present the large-scale empirical study on password-cracking methods proposed by the academic community since 2005, leveraging about 220 million plaintext passwords leaked from 12 popular websites during the past decade. Specifically, we conduct our empirical evaluation in two cracking scenarios, i.e., cracking under extensive-knowledge and limited-knowledge. The evaluation concludes that no cracking method may outperform others from all aspects in these offline scenarios. The actual cracking performance is determined by multiple factors, including the underlying model principle along with dataset attributes such as length and structure characteristics. Then, we perform further evaluation by analyzing the set of cracked passwords in each targeting dataset. We get some interesting observations that make sense of many cracking behaviors and come up with some suggestions on how to choose a more effective password-cracking method under these two offline cracking scenarios.

Ming Xu,Chuanwang Wang,Jitao Yu,Junjie Zhang,Kai Zhang,Weili Han

DOI: https://doi.org/10.1145/3460120.3484743

2021-01-01

Abstract:ABSTRACTTextual password security hinges on the guessing models adopted by attackers, in which a suitable password composition representation is an influential factor. Unfortunately, the conventional models roughly regard a password as a sequence of characters, or natural-language-based words, which are password-irrelevant. Experience shows that passwords exhibit internal and refined patterns, e.g., "4ever, ing or 2015", varying significantly among periods and regions. However, the refined representations and their security impacts could not be automatically understood by state-of-the-art guessing models (e.g., Markov). In this paper, we regard a password as a composition of several chunks, where a chunk is a sequence of related characters that appear together frequently, to model passwords. Based on the concept, we propose a password-specific segmentation method that can automatically split passwords into several chunks, and then build three chunk-level guessing models, adopted from Markov, Probabilistic Context-free Grammar (PCFG) and neural-network-based models. Based on the extensive evaluation with over 250 million passwords, these chunk-level models can improve their guessing efficiency by an average of 5.7%, 51.2% and 41.9%, respectively, in an offline guessing scenario, showcasing the power of a suitable password representation during attacks. By analysing these efficient attacks, we find that the presence of common chunks in a password is a stronger indicator for password vulnerability than the character class complexity. To protect users against such attacks, we develop a client-side and real-time password strength meter to estimate the passwords' resistance based on chunk-level guessing models.

Chen Ruihao,Qiu Weidong

DOI: https://doi.org/10.3969/j.issn.1007-757X.2015.04.014

2015-01-01

Abstract:This paper proposes an analyzing method which is fit for a large number of passwords. By building up a neural network model, it can analyze and dig for potential relationships between password attributes. After attribute assignment for passwords of different application types, it can utilize neural network tool in MATLAB to finish model building, training and simulation testing, in order to find out potential and valuable relationships or rules between attributes. With such relationships, it can help to deduce un-known attribute values from the already known ones, or provide some directivity help for password cracking and recovery work by generating brute force cracking dictionary, which reflects the users’ habits of password setting.

Wei-Li HAN,Lang YUAN,Si-Si LI,Xiao-Yang WANG

DOI: https://doi.org/10.11897/SP.J.1016.2017.01151

2017-01-01

Chinese Journal of Computers

Abstract:Large-scale real user password sets are well regarded important in the field of system security research,due to their usages in evaluating the efficacy of the algorithms that guess passwords,and detecting defects of existing password protection mechanisms,etc.At present,some ways of capturing real passwords are available for researchers,such as accidental or malicious passwords disclosure,voluntary user contributions,or sharing by voluntary websites for research purposes.However,there are some serious limitations involved in collecting user password sets in the above ways.For example,password sets that are captured from passwords disclosure may have been tampered,and therefore their quality cannot be guaranteed.What's more,types of these password sets are limited.As a result,it is still difficult for researches to have access to the large-scale clear-text user passwords in a systematic manner.Motivated to resolve the above issue,this paper presents a sample perturbation based password generation algorithm(SPPG for short).The algorithm is to use a given small-scale real user password sample as a training set to generate a probability model that can then be used to provide large-scale password sets.The small-scale sample is relatively easier to obtain.With the purpose of improving the authenticity of the simulation password sets,the SPPG algorithm is designed based on the idea of sample perturbation.On the one hand,the algorithm takes advantage of the Probabilistic Context-Free Grammar to parse the sample,and then generates passwords that have the same structures with passwords in the sample.On the other hand,it also utilizes rules that are frequently used for users to deform their passwords,and then generates passwords that are similar to passwords in the sample.To evaluate the efficacy of the SPPG algorithm,this paper presents a set of criteria to evaluate the quality of the simulation password sets.These criteria include the coverage rate of the real passwords,the goodness of fit to the Zipf distribution,the similarity of password structure distributions and the proportion of special patterns.In the end,this paper compares the efficacy of the SPPG algorithm with the popular probability models of password guessing,including the Probabilistic Context-Free Grammar and several variants of the Markov models.In the experiment,small-scale samples are randomly selected from real user password sets,and then are used by different models to generate the simulation password sets.The experiment results show that the SPPG algorithm has better performances.On average,the coverage of the real passwords is improved by 9.58％ and 72.79％ respectively compared with the Probabilistic Context-Free Grammar and the 4-order Markov model.And the coverage of the real passwords is 10.34 times more than the 3-order Markov model and 13.41 times more than the 1-order Markov model.Besides,the goodness of fit to the Zipf distribution remains at a high level that is no less than 0.9.As for the password structure distribution and the proportion of special patterns,simulation password sets generated by the SPPG algorithm are also shown to be more similar to the real password sets compared with simulation password sets generated by the other models.

Yushuo Guan,Yuanxing Zhang,Lin Chen,Kaigui Bian

DOI: https://doi.org/10.1109/ICCChina.2019.8855847

2019-01-01

Abstract:In many scenarios, one has to enter her text or graphical password in a public area, such as unlocking the smartphone on the street, and entering the password when she pays with a debit card in a shopping mall. However, the environment where the password is entered may be adversarial as it is almost impossible to prevent adversaries from premeditated installation of surveillance and/or eavesdropping equipment in public areas. In this work, we investigate password security in such extreme adversarial environments in which every single interaction between humans (provers) and input terminals (verifiers) is transparent to the attacker. We first present a neural network-based attack model, which consists of a feature extraction model and a prediction model. Experimental results show that the neural model attains an accuracy of more than 80% in password prediction in three real-world authentication systems. We also propose a risk alert system based on the attack model. It can issue a timely warning notice when the password in use is at high security risk.

Rui Xu,Xiaojun Chen,Jinqiao Shi

DOI: https://doi.org/10.1145/3297280.3297464

2019-01-01

Abstract:Passwords will continue to be the most prevalent form of authentication in the foreseeable future. But passwords often consist of some common segments which are easy to be predicted and attacked. Lots of methods have been proposed to describe password construction by regarding passwords as sequences of characters or segments. They are mainly based on statistical language models, for example Markov models and Probabilistic Context-Free Grammars. Recently, some researchers show that character-level recurrent neural networks can often outperform the previous methods. However, passwords usually consist of coarse-grained memorable units rather than fine-grained random characters. In this paper, we propose a memorable unit-based recurrent neural networks to model password construction. We first split passwords into memorable units (i.e., segments) with seven kinds of patterns and further split non-semantic pure letter and digit units into shorter units. Then, we build a unit-level recurrent neural network to predict the next unit with previous context units. Experiment results demonstrate that our coarse-grained unit-level model can reduce the search space during generating password guesses, which means our model obtains higher efficiency than the fine-grained character-level model.

Liping Li,Qinglei Zhou,Bin Li,Xueming Si

DOI: https://doi.org/10.1109/CyberC.2018.00014

2018-01-01

Abstract:Identity authentication is the first line of defense to ensure the security of information systems, and passwords are the most widely used authentication method. Choosing a valid password structure is an effective way to prevent password attacks, such as password dictionary attack. This article talked 68386069 real plaintext passwords with statistical their various features, summarized several rules for generating highly utilized passwords in certain styles. Based on these statistical features and rules, it generated high-probability password structure gene banks. With them, it formulates a dictionary to generate the candidate passwords. Thereby, this can enhance the efficiency of password recovery. We conducted extensive experiments by the real password test data, and the experimental results, compared with the dictionary provided by major websites, show that the dictionary of high probability password structure hit rate increased by about 30%. At the same time, this dictionary can save about one-third of the running time.

Junbin Ye,Min Jin,Guoliang Gong,Rongxuan Shen,Huaxiang Lu

DOI: https://doi.org/10.3390/s22176484

2022-08-29

Abstract:The frequent incidents of password leakage have increased people's attention and research on password security. Password guessing is an essential part of password cracking and password security research. The progression of deep learning technology provides a promising way to improve the efficiency of password guessing. However, the mainstream models proposed for password guessing, such as RNN (or other variants, such as LSTM, GRU), GAN and VAE still face some problems, such as the low efficiency and high repetition rate of the generated passwords. In this paper, we propose a password-guessing model based on the temporal convolutional neural network (PassTCN). To further improve the performance of the generated passwords, we propose a novel password probability label-learning method, which reconstructs labels based on the password probability distribution of the training set and deduplicates the training set when training. Experiments on the RockYou dataset showed that, when generating 108 passwords, the coverage rate of PassTCN with password probability label learning (PassTCN-PPLL) reached 12.6%, which is 87.2%, 72.6% and 42.9% higher than PassGAN (a password-guessing model based on GAN), VAEPass (a password-guessing model based on VAE) and FLA (a password-guessing model based on LSTM), respectively. The repetition rate of our model is 25.9%, which is 45.1%, 31.7% and 17.4% lower than that of PassGAN, VAEPass and FLA, respectively. The results confirm that our approach not only improves the coverage rate but also reduces the repetition rate.

Yangde Wang,Haozhang Li,Weidong Qiu,Shujun Li,Peng Tang

DOI: https://doi.org/10.1007/978-981-97-5101-3_22

2024-07-19

Abstract:Textual passwords are still the most widely used user authentication mechanism. Due to the close connections between textual passwords and natural languages, advanced technologies in natural language processing (NLP) and machine learning (ML) could be used to model passwords for different purposes such as studying human password-creation behaviors and developing more advanced password cracking methods for informing better defence mechanisms. In this paper, we propose PassTSL (modeling human-created Passwords through Two-Stage Learning), inspired by the popular pretraining-finetuning framework in NLP and deep learning (DL). We report how different pretraining settings affected PassTSL and proved its effectiveness by applying it to six large leaked password databases. Experimental results showed that it outperforms five state-of-the-art (SOTA) password cracking methods on password guessing by a significant margin ranging from 4.11% to 64.69% at the maximum point. Based on PassTSL, we also implemented a password strength meter (PSM), and our experiments showed that it was able to estimate password strength more accurately, causing fewer unsafe errors (overestimating the password strength) than two other SOTA PSMs when they produce the same rate of safe errors (underestimating the password strength): a neural-network based method and zxcvbn. Furthermore, we explored multiple finetuning settings, and our evaluations showed that, even a small amount of additional training data, e.g., only 0.1% of the pretrained data, can lead to over 3% improvement in password guessing on average. We also proposed a heuristic approach to selecting finetuning passwords based on JS (Jensen-Shannon) divergence and experimental results validated its usefulness. In summary, our contributions demonstrate the potential and feasibility of applying advanced NLP and ML methods to password modeling and cracking.

Cryptography and Security,Artificial Intelligence,Computation and Language

Jing Zou,Dongdai Lin,Guo-Cui Mi

DOI: https://doi.org/10.1109/icmlc.2011.6016851

2011-01-01

Abstract:Due to the parallel nature of brute force attack, it is well suited to use parallel or distributed computing to recover passwords encrypted by one-way hash functions. When distributing the password cracking task between threads or nodes, it is necessary to divide the search space into several subspaces. It is ideal that the size of these subspaces is the same for a load balanced solution. However, increasing the length of passwords will raise the number of combinations exponentially. This will raises issues for the search space uniform partition. This paper presents a universal distributed model for password cracking capable of dividing the search space evenly. For this, the paper addresses the definition of a base-n-like number, and discusses operations on it and relations with base-n number. The model is data independent, easily implemented and needs a few of communications. Experimental results are then shown.

Yong Fang,Kai Liu,Fan Jing,Zheng Zuo

DOI: https://doi.org/10.1007/978-981-13-5913-2_6

2019-01-01

Abstract:Passwords remain the dominant method in data encryption and identity authentication, but they are vulnerable to guessing attack. Most users incline to choose meaningful words to make up passwords. Lots of these words are human-memorable. In this paper, we propose a hierarchical semantic model that combines LSTM with semantic analysis to implement password guessing. With our model, the potential probability relationship between words can be mined. After training the model with 4.5 million passwords from leaked Chinese passwords, we generate lots of passwords guesses ordered by probability. 0.5 million passwords are reserved for model testing. In addition, we also pick up CSDN passwords, the Rockyou passwords, and Facebook passwords as model-testing sets. Each dataset contains 0.5 million passwords. LSTM-based model, PCFG, and Markov-based model are selected for comparison. Experiments show that our model has a higher coverage rate than the other models of the reserved dataset and CSDN dataset. Besides, our model can hit more passwords for the Rockyou dataset and Facebook dataset than PCFG.

Jun Luo,Jin Deng,Chu Lu,Hong Liu

DOI: https://doi.org/10.1109/HPCC/SmartCity/DSS.2019.00377

2019-01-01

Abstract:Password generation becomes an emerging issue to improve the efficiency of authentication in social engineering and plays an important role in checking the security vulnerability since the weak password may lead to possible attacks for different users. To determine the password vulnerability and to enhance user privacy, a recurrent neural network (i.e., long short-term memory (LSTM) and gated recurrent unit (GRU)) based password generation scheme is proposed for group attribute context-ware applications. In this work, different group attributes are considered for modeling training, natural language processing is adopted for password prediction, and password similarity computing is established for analyzing the group relations. The password strength evaluation is performed on the fixed length password based on generation probability. It indicates that group attributes based password generation model has more accuracy than the ordinary model.

Jiahong Xie,Haibo Cheng,Rong Zhu,Ping Wang,Kaitai Liang

DOI: https://doi.org/10.1109/icassp43922.2022.9746203

2022-01-01

Abstract:To date there are few researches on the semantic information of passwords, which leaves a gap preventing us from fully understanding the passwords characteristic and security. We propose a new password probability model for semantic information based on Markov Chain with both generalization and accuracy, called WordMarkov, that can capture the semantic essence of password samples. Further, we evaluate our design via password guessing attacks, on six real-world datasets, and we show that WordMarkov obtains 24.29%–67.37% improvement over the state-of-the-art password probability models. Even more surprising is that WordMarkov achieves 75.35%–96.34% attack improvement on "long" passwords, indicating the importance of semantic parts in long passwords.

Ding Wang,Yunkai Zou,Yuan-An Xiao,Siqi Ma,Xiaofeng Chen

2023-01-01

Abstract:While password stuffing attacks (that exploit the direct password reuse behavior) have gained considerable attention, only a few studies have examined password tweaking attacks, where an attacker exploits users' indirect reuse behaviors (with edit operations like insertion, deletion, and substitution). For the first time, we model the password tweaking attack as a multi-class classification problem for characterizing users' password edit/modification processes, and propose a generative model coupled with the multi-step decision-making mechanism, called PASS2EDIT, to accurately characterize users' password reuse/modification behaviors. We demonstrate the effectiveness of PASS2EDIT through extensive experiments, which consist of 12 practical attack scenarios and employ 4.8 billion real-world passwords. The experimental results show that PASS2EDIT and its variant significantly improve over the prior art. More specifically, when the victim's password at site A (namely pwA) is known, within 100 guesses, the cracking success rate of PASS2EDIT in guessing her password at site B ( pw(B) not equal pw(A)) is 24.2% (for common users) and 11.7% (for security-savvy users), respectively, which is 18.2%-33.0% higher than its foremost counterparts. Our results highlight that password tweaking is a much more damaging threat to password security than expected.

HONG Meng,QIU Weidong,WANG Yangde

DOI: https://doi.org/10.11959/j.issn.2096-109x.2024008

2024-01-01

Abstract:Password-based authentication has been widely used as the primary authentication mechanism.However,occasional large-scale password leaks have highlighted the vulnerability of passwords to risks such as guessing or theft.In recent years,research on password analysis using natural language processing techniques has progressed,treating passwords as a special form of natural language.Nevertheless,limited studies have investigated the impact of password text segmentation granularity on the effectiveness of password analysis with large language models.A multi-granularity password-analyzing framework was proposed based on a large language model,which follows the pre-training paradigm and autonomously learns prior knowledge of password distribution from large unlabelled da-tasets.The framework comprised three modules:the synchronization network,backbone network,and tail network.The synchronization network module implemented char-level,template-level,and chunk-level password segmenta-tion,extracting knowledge on character distribution,structure,word chunk composition,and other password features.The backbone network module constructed a generic password model to learn the rules governing password compo-sition.The tail network module generated candidate passwords for guessing and analyzing target databases.Experi-mental evaluations were conducted on eight password databases including Tianya and Twitter,analyzing and sum-marizing the effectiveness of the proposed framework under different language environments and word segmenta-tion granularities.The results indicate that in Chinese user scenarios,the performance of the password-analyzing framework based on char-level and chunk-level segmentation is comparable,and significantly superior to the framework based on template-level segmentation.In English user scenarios,the framework based on chunk-level segmentation demonstrates the best password-analyzing performance.

Min Jin,Junbin Ye,Rongxuan Shen,Huaxing Lu

2024-03-15

Abstract:Passwords are the most widely used method of authentication and password guessing is the essential part of password cracking and password security research. The progress of deep learning technology provides a promising way to improve the efficiency of password guessing. However, current research on neural network password guessing methods mostly focuses on model structure and has overlooked the generation method. Due to the randomness of sampling, not only the generated passwords have a large number of duplicates, but also the order in which passwords generated is random, leading to inefficient password attacks. In this paper, we propose SOPG, a search-based ordered password generation method, which enables the password guessing model based on autoregressive neural network to generate passwords in approximately descending order of probability. Experiment on comparison of SOPG and Random sampling shows passwords generated by SOPG do not repeat, and when they reach the same cover rate, SOPG requires fewer inferences and far fewer generated passwords than Random sampling, which brings great efficiency improvement to subsequent password attacks. We build SOPGesGPT, a password guessing model based on GPT, using SOPG to generate passwords. Compared with the most influential models OMEN, FLA, PassGAN, VAEPass and the latest model PassGPT in one-site test, experiments show that SOPGesGPT is far ahead in terms of both effective rate and cover rate. As to cover rate that everyone recognizes, SOPGesGPT reaches 35.06%, which is 254%, 298%, 421%, 380%, 81% higher than OMEN, FLA, PassGAN, VAEPass, and PassGPT respectively.

Cryptography and Security